A large data breach of Yahoo accounts in 2013, before Verizon acquired the company caused enough turmoil, but the damage apparently is not yet over. Originally, 1 billion people were thought to have been affected by the security breach, but the numbers keep rising. Over 3 billion people may be affected by the breach, making this the largest theft of user information to date.
Yahoo required users that were identified as potentially affected by the hack to change their passwords in 2016. Now all Yahoo users are believed to be potentially affected by the theft of encrypted data that occurred in 2013. Fortunately, no personally identifiable clear text data was leaked, but weak passwords and ever increasing compute power could make it very easy to break security methods employed.
At the time of the data theft, Yahoo was using the MD5 hash algorithm to protect user account passwords. Since then, MD5 has been determined to be cryptographically insecure and should not be utilized for new systems. Following the security breach, Yahoo began a transition to the more secure Bcrypt hashing algorithm with added salts and multiple passes through a hash function.
If you were a Yahoo user back in 2013, any passwords and security questions used then should be considered insecure for future use. Remember that security question answers do not have to actually answer the question being asked. Any phrase can be used as a security question answer as long as you can remember it to help keep your account secure.
https://www.techspot.com/news/71247-yahoo-reveals-3-billion-user-accounts-have-risk.html
